Package Signing

2012-03-15 03:31 UTC
  • Xyne

About

The purpose of this page is to provide an additional source for users attempting to verify the IDs of the Arch Linux master keys. See the Arch wiki to learn about package signing in Arch.

Master Keys

Allan posted the following import script on his blog. It will import the Arch Linux master keys and assign them marginal trust, which is sufficient to estable the web of trust for all official Arch Linux packages. I have cross-checked the key references in this script against several sources (Arch website, email lists, and pgp.mit.edu) and I am convinced that they are correct. I repost this script here to provide another independent source which users may consult to verify the keys themselves.

for key in FFF979E7 CDFD6BB0 4C7EA887 6AC6A4C2 824B18E8; do
    pacman-key --recv-keys $key
    pacman-key --lsign-key $key
    printf 'trust\n3\nquit\n' | gpg --homedir /etc/pacman.d/gnupg/ \
        --no-permission-warning --command-fd 0 --edit-key $key
done

Here’s the same script, signed.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

for key in FFF979E7 CDFD6BB0 4C7EA887 6AC6A4C2 824B18E8; do
    pacman-key --recv-keys $key
    pacman-key --lsign-key $key
    printf 'trust\n3\nquit\n' | gpg --homedir /etc/pacman.d/gnupg/ \
        --no-permission-warning --command-fd 0 --edit-key $key
done
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJPYWENAAoJEFztgbfC5cDSzxsH/RRcYlkIUwdrg/U7NBO9KtJL
m3hJmdvNCXuCBcUALAeEmEz8oJCegXfKhIY87y4alLywW1yInuSxRCvnpKzSmGQ9
285WeGCjXVMf/qzUHjL68mIafBVCeCOMAwzBoomFpsn/mdQbrE8Xc+0K0FUGDvt8
PXbGco13g+o7kP5wsKvyDMm2BXY9UOjQYwOnBsqo+72sN1fbdHiHsx/OPVsT3H+0
HTk+XogCBY/1iRVvduUmcE472oTjwb7bSSymy7cPNknUw7iPeJUs3Ol8Irx6NXQ3
wXsJ2PKjFkGecnJhtA+kKRH0QbXgKc0wlA9vhFC6rzAcbJWXjj4tNXkob7RlV24=
=zVRh
-----END PGP SIGNATURE-----

The keys should match the keys listed here.

Contact
echo xyne.archlinux.ca | sed 's/\./@/'
Feeds
Blog News
Validation
XHTML 1.0 Strict CSS level 3 Atom 1.0